Analysis
- max time kernel: 129s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 08:29
Behavioral task: behavioral1
- Sample: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe
- Size: 554KB
- MD5: 115bb996db9134faee5b6358e5ff50bb
- SHA1: 278cb404779917b736e814b95d8f121ce539b462
- SHA256: 26cf5dff70eed09bb07d746edce747902b01d4309c0e07ed5da7e6e9eb22d26c
- SHA512: 8710332bd128e5550f38a5ae359650013b6aa24944da160f9476c6b481404e71a069be4f7b6453879fd0a43c928497023a740742a4ccdb1bbc4844735afe120c
- SSDEEP: 12288:U8kivDNfzxH79ALFkdsw6zpFNFq4PFpixVnPXTMqqZt9SRpjqKAkl/5G:NvDbbc6kzho4LGnPXTMFZ/62KAkl/5G
Malware Config
Signatures
Executes dropped EXE (7 IoCs)
- PID 2348: 1VMP~1.EXE
- PID 1696: 1.exe
- PID 2536: NO.exe
- PID 2696: 1.exe
- PID 2764: 1VMP~1.EXE
- PID 2428: 1.exe
- PID 3052: 1.exe
Loads dropped DLL (18 IoCs; "×n" marks n consecutive identical entries)
- PID 1972: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe ×2
- PID 2348: 1VMP~1.EXE ×3
- PID 1696: 1.exe
- PID 2348: 1VMP~1.EXE ×2
- PID 2696: 1.exe
- PID 1972: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe ×2
- PID 2764: 1VMP~1.EXE ×3
- PID 2428: 1.exe
- PID 2764: 1VMP~1.EXE ×2
- PID 3052: 1.exe
YARA rule matches (yara_rule: vmprotect)
- behavioral1/memory/1972-0-0x0000000001000000-0x000000000110F000-memory.dmp: vmprotect
- behavioral1/memory/1972-3-0x0000000001000000-0x000000000110F000-memory.dmp: vmprotect
- behavioral1/files/0x000a000000016a29-6.dat: vmprotect
- behavioral1/memory/2348-19-0x0000000001000000-0x00000000010E0000-memory.dmp: vmprotect
- behavioral1/memory/2348-18-0x0000000001000000-0x00000000010E0000-memory.dmp: vmprotect
- behavioral1/memory/2348-17-0x0000000001000000-0x00000000010E0000-memory.dmp: vmprotect
- behavioral1/memory/1972-13-0x0000000002FA0000-0x0000000003080000-memory.dmp: vmprotect
- behavioral1/memory/2348-29-0x0000000003310000-0x00000000037F5000-memory.dmp: vmprotect
- behavioral1/memory/1972-52-0x0000000001000000-0x000000000110F000-memory.dmp: vmprotect
- behavioral1/memory/2348-54-0x0000000001000000-0x00000000010E0000-memory.dmp: vmprotect
- behavioral1/memory/1972-58-0x0000000002FA0000-0x0000000003080000-memory.dmp: vmprotect
- behavioral1/memory/2764-91-0x0000000001000000-0x00000000010E0000-memory.dmp: vmprotect
- behavioral1/memory/1972-92-0x0000000001000000-0x000000000110F000-memory.dmp: vmprotect
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: 1VMP~1.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: 1VMP~1.EXE)
Drops file in Windows directory (5 IoCs; "×n" marks n consecutive identical entries)
- File created: C:\Windows\NO.exe (process: 1.exe)
- File opened for modification: C:\Windows\NO.exe (process: 1.exe) ×4
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 1696: 1.exe
- Token: SeDebugPrivilege, PID 2536: NO.exe
- Token: SeDebugPrivilege, PID 2696: 1.exe
- Token: SeDebugPrivilege, PID 2428: 1.exe
- Token: SeDebugPrivilege, PID 3052: 1.exe
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2536: NO.exe
Suspicious use of WriteProcessMemory (46 IoCs; "×n" marks n consecutive identical entries; procid_target is the sandbox's own target-process index)
- PID 1972 wrote to memory of 2348 (process: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe, procid_target 28) ×7
- PID 2348 wrote to memory of 1696 (process: 1VMP~1.EXE, procid_target 29) ×7
- PID 2536 wrote to memory of 2628 (process: NO.exe, procid_target 31) ×4
- PID 2348 wrote to memory of 2696 (process: 1VMP~1.EXE, procid_target 32) ×7
- PID 1972 wrote to memory of 2764 (process: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe, procid_target 33) ×7
- PID 2764 wrote to memory of 2428 (process: 1VMP~1.EXE, procid_target 34) ×7
- PID 2764 wrote to memory of 3052 (process: 1VMP~1.EXE, procid_target 35) ×7
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe (PID 1972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE (PID 2348)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 1696)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 2696)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE (PID 2764)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 2428)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 3052)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\NO.exe (PID 2536)
  Command line: C:\Windows\NO.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2628)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 456KB
  MD5: ccdd3e65f37bf4b53e0996450f93dd5c
  SHA1: ae49d7887c0d9a4d134054f780ab4feeb82b40e8
  SHA256: 07184969a3a4af8c5eae7c492bbbbec18275ae010a1e3a5ff3a476b17350cbf3
  SHA512: a5252ca09bcb5f3a971659bc8bce1d3d16183aae28fb32199e6e4b9d24de37f33475addfbfa3cfafb9e4af09502c903c459ccc72d85827ab23359ca7a7d9109b
- File 2
  Filesize: 359KB
  MD5: 17c12a6b4048548ac2d8f9f05707f0cc
  SHA1: 1e6e58475be22208a391182201e0e18488cf65a6
  SHA256: 4141f3e0d6fbaa369d77f79ed67f1e306b7f18633ef7908ccfc9ff32e788895e
  SHA512: e21310677eb451ddbcfb5e80be1fc9ec7e205b7a129c5a34739b7e0d1008a7c1a165f9f557a5d80644d438c6906b849b7d83e2a2bf0d6c5426ec3356c8b00148